## Quick Answer: What Are HR's Main GDPR Obligations?

HR teams must process employee data lawfully (using one of the six lawful bases), keep it accurate and up to date, store it securely, retain it only as long as necessary, and respond to employee data rights requests within one calendar month.

| GDPR Principle | What It Means for HR |
|---|---|
| Lawfulness, fairness, transparency | Tell employees what data you collect and why |
| Purpose limitation | Only use data for the purpose you collected it |
| Data minimisation | Do not collect more data than you need |
| Accuracy | Keep employee records up to date |
| Storage limitation | Delete data when you no longer need it |
| Security | Protect data with appropriate technical and organisational measures |
| Accountability | Document your compliance and be able to demonstrate it |

## Which GDPR Applies in the UK?

Since Brexit, the UK has its own version of the GDPR: the UK General Data Protection Regulation (UK GDPR), which works alongside the Data Protection Act 2018 (DPA 2018). The principles and requirements are largely identical to the EU GDPR, but enforcement is by the Information Commissioner's Office (ICO) rather than EU supervisory authorities.
## Lawful Bases for Processing Employee Data

You need a lawful basis for every type of employee data you process. The most relevant bases for HR are:

| Lawful Basis | When to Use It | Example |
|---|---|---|
| Contract | Processing necessary to perform the employment contract | Paying wages, administering benefits |
| Legal obligation | Processing required by law | PAYE, right to work checks, health and safety reporting |
| Legitimate interest | Processing necessary for your legitimate business interests (balanced against employee rights) | Performance management, internal investigations |
| Consent | Freely given, specific, informed, and unambiguous consent | Optional benefits, marketing communications, photos for website |
| Vital interests | Protecting someone's life | Emergency medical situation |

Important: Consent is rarely the right basis for employee data because of the power imbalance in the employment relationship. The ICO advises that consent is unlikely to be freely given where there is a clear imbalance between the parties. Use contract, legal obligation, or legitimate interest where possible.

## Special Category Data in HR

Some HR data is classified as special category data under Article 9 of UK GDPR, which requires additional protections:
- Health data (sick notes, occupational health reports, disability information)
- Trade union membership
- Racial or ethnic origin (equality monitoring)
- Religious or philosophical beliefs (for accommodating practices)
- Biometric data (if used for identification, e.g., fingerprint scanners)

For special category data, you need both a lawful basis (Article 6) and a condition for processing (Article 9). Common conditions for HR include:
- Employment, social security, and social protection law (Article 9(2)(b))
- Preventive or occupational medicine (Article 9(2)(h))
- Explicit consent (Article 9(2)(a)), subject to the consent limitations described above

## Privacy Notices for Employees

You must provide a privacy notice to all employees explaining:
- Your identity and contact details (and your DPO if you have one)
- What personal data you collect
- Why you collect it and the lawful basis for each purpose
- Who you share it with (payroll provider, pension provider, HMRC, insurers)
- How long you retain it
- Employee rights (access, rectification, erasure, restriction, portability, objection)
- How to complain to the ICO

When to provide it: at the point of collection, ideally during onboarding or in the employment contract pack.

## Data Retention for HR Records

There is no single statutory retention period for all HR data. Apply the principle of keeping data only as long as necessary:

| Record Type | Recommended Retention | Reason |
|---|---|---|
| Payroll and tax records | 6 years after end of tax year | HMRC requirements |
| Employment contracts | 6 years after employment ends | Limitation period for contract claims |
| Disciplinary records | 6 years after employment ends (or per policy) | Potential tribunal claims |
| Recruitment records (unsuccessful) | 6 months after decision | Discrimination claim limitation |
| Health and safety records | 40 years (for certain workplace injuries) | Limitation Act 1980 |
| Pension records | 6 years after benefits cease | Pension regulations |
| Right to work checks | Duration of employment + 2 years | Immigration regulations |
| Maternity/paternity records | 3 years after end of tax year | HMRC |

## Subject Access Requests (SARs)

Employees have the right to request a copy of all personal data you hold about them. This is called a subject access request.

Key requirements:
- Respond within one calendar month (can extend by a further 2 months for complex requests)
- Provide the data in a commonly used electronic format (PDF, CSV)
- The request is free (you can charge a reasonable fee only if the request is manifestly unfounded or excessive)
- You must search all systems: HR software, email, paper files, and managers' notes
- You cannot withhold data simply because it is embarrassing or inconvenient
- You may redact data about third parties if disclosing it would breach their privacy

Common SAR pitfalls in HR:
- Forgetting to search managers' personal email or notes
- Missing data in archived or legacy systems
- Not redacting third-party data properly
- Exceeding the one-month deadline

## Data Protection Impact Assessments (DPIAs)

A DPIA is required when processing is likely to result in a high risk to individuals. In HR, this might include:
- Introducing employee monitoring (email, internet, GPS tracking, CCTV)
- Using automated decision-making (algorithmic recruitment screening, performance scoring)
- Processing large-scale special category data (health surveillance programmes)
- Implementing new HR technology that processes employee data in new ways

A DPIA should:
- Describe the processing and its purpose
- Assess the necessity and proportionality
- Identify and assess risks to individuals
- Identify measures to mitigate those risks

## Employee Monitoring and GDPR

If you monitor employees (email, internet use, phone calls, CCTV, GPS tracking), you must:
- Have a clear and lawful purpose for monitoring
- Conduct a DPIA before starting
- Inform employees that monitoring takes place, what is monitored, and why
- Minimise intrusion: do not monitor more than necessary
- Have a monitoring policy in your employee handbook

The ICO's Employment Practices Code provides detailed guidance on monitoring.

## International Data Transfers

If you transfer employee data outside the UK (e.g., to a parent company in the US, or using cloud services hosted abroad), you must ensure adequate safeguards are in place:
- UK adequacy decisions (countries deemed to have adequate protection)
- Standard contractual clauses (for countries without adequacy decisions)
- Binding corporate rules (for intra-group transfers in multinational organisations)

## Using Grove to Manage GDPR Compliance

Grove keeps all employee data in one secure system with role-based access controls, audit trails, and built-in retention management. When an employee makes a subject access request, Grove can generate a complete data export in minutes rather than days.

Get started with Grove and simplify your HR data protection compliance.

The Grove Team, Grove HR

The Grove Team writes about HR best practices, compliance, and workplace culture for Grove. Helping UK businesses cultivate thriving teams.